You can't vary the table name with placeholders, nor field names. They only work with values. However, if you're consistent in your naming, and only use a limited set of characters, you can test to see if input is safe, even if not valid. (for instance, only letters, digits, and underscores)

note -- '\W' matches any character not matched by '\w', which matches letters, numbers, and underscore. The list of what qualifies as a 'letter' is dependant upon your locale settings. If you wanted only ascii letters, use the following:

However, I am not familiar with DataObject. If it takes regular SQL and supports placeholders, SQL::Abstract could still be helpful.

A quick peek within the source revealed that it does quote table names and other values that you can't use placeholders for.

SQL::Abstract does quote table names and field names with whatever $self->{quote_char} is set to, which is default to empty string. At least MySQL allows to quote table and field names with backtick characters (`table_name`).

use SQL::Abstract;
my $SQL = SQL::Abstract->new(quote_char => '`');
[download]

Quoting tables and fields (selet * from `user`) is different from quoting values (where name = 'bob'). So what's the problem? You can't use placeholders on tables and fields, after all, only values. From DBI docs:

With most drivers, placeholders can’t be used for any element of a statement that would prevent the database server from validating the statement and creating a query execution plan for it. For example:

  "SELECT name, age FROM ?"         # wrong (will probably fail)
  "SELECT name, ?   FROM people"    # wrong (but may not ’fail’)
[download]

---

Open source softwares? Share and enjoy. Make profit from them if you can. Yet, share and enjoy!

I was unaware that SQL::Abstract did not quote table names. However, I am aware of the difference between placeholders and quoting (as I did a bit of pure DBI before using SQL::Abstract in conjunction with it). Your message does show the difference better than mine.